<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2995" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Tahoma size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>I have several tunnels up and
operational on an old PIX-520 running 6.3(4)120.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial><FONT size=2>I want to establish a new tunnel, but I
want to static xlate my inside address to a real world address, and <SPAN
class=603084021-11122006><FONT color=#0000ff> have the destination host see
my traffic as sourced from the NAT'd address.</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=603084021-11122006> </SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial size=2>So I've built an access-list for interesting traffic
for the tunnel, built my static, and have not specified the interesting
traffic in my NAT-0 access-list that I use for other
tunnels. <SPAN class=603084021-11122006><FONT
color=#0000ff> I've turned up </FONT></SPAN>debug crypto isakmp <SPAN
class=603084021-11122006><FONT color=#0000ff> on the pix but
</FONT></SPAN>I don't see any initiation.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>My inside host on interface DMZ is
172.0.255.15 which is NAT'd to 216.26.153.12.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I want 172.0.255.15 to connect to the remote
host 172.30.21.216 presenting itself as sourced from the nat'd
address 216.26.153.12.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is what I think is relevant.</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>ip address outside 216.26.153.4 255.255.255.128<BR>
ip address dmz 172.0.255.1 255.255.255.0</DIV>
<DIV> </DIV>
<DIV>access-list global-vpn permit ip host 216.26.153.12 host 172.30.21.215<BR></DIV>
<DIV> </DIV>
<DIV>static (dmz,outside) 216.26.153.12 172.0.255.15 netmask 255.255.255.255 0 0<BR></DIV>
<DIV>sysopt connection permit-ipsec<BR></DIV>
<DIV> </DIV>
<DIV>crypto ipsec transform-set global-vpn esp-3des esp-md5-hmac<BR></DIV>
<DIV>crypto map outside 212 ipsec-isakmp<BR>
crypto map outside 212 match address global-vpn<BR>
crypto map outside 212 set peer not.my.real.ip</DIV>
<DIV>crypto map outside 212 set transform-set global-vpn<BR></DIV>
<DIV>crypto map outside interface outside</DIV>
<DIV> </DIV>
<DIV>isakmp enable outside<BR>
isakmp key ******** address not.my.real.ip netmask 255.255.255.255<BR>
isakmp identity address</DIV>
<DIV><BR>
isakmp policy 100 authentication pre-share<BR>
isakmp policy 100 encryption 3des<BR>
isakmp policy 100 hash md5<BR>
isakmp policy 100 group 2<BR>
isakmp policy 100 lifetime 86400<BR></DIV>
<DIV><SPAN class=603084021-11122006><FONT face=Arial color=#0000ff
size=2> </FONT></SPAN></DIV>
<DIV><SPAN class=603084021-11122006> </SPAN>Any ideas? Am I approaching
this correctly with the static and not using nat0 for
216.26.153.12<->172.30.21.215?</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>Thanks for any suggestions.</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV>--mikej</DIV>
<DIV>Michael Jung</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV></BODY></HTML>